Tor and ISP - need help.


Sorry for my English.

In my threat model, I hide the use of TOR from my ISP. Why do I need it? To protect against traffic analysis. My opponent is at the state level, but not global. It controls the network from where I enter TOR, and can compare the time of entry into the TOR network with my specific actions on the network. My goal in using WHONIX is to anonymously communicate with another unknown person. This person can be a partially trusted person or an adversary. That is, he can compare the time of entering the TOR network with the time of receiving messages from me, because this person with whom I communicate can be an adversary. I understand that there are many TOR users in my country, and the correlation will take a lot of time, but this is possible over a long period of time. Users with the same login time and sent message will be registered, and in the end it will lead to me. How can I avoid this?

Here are some of my thoughts:

  1. Tor via VPN
  2. Use replaceable transports?
  3. I need to reply to messages at the appointed time. This means that I need to log into the TOR network at a different time before sending messages and receiving them. Logging out of the TOR network should also be different from the time the last message was sent, right?
  4. My best idea is to use a dedicated server with Whonix inside KVM with x2go connecting to the server. I don’t like the speed of interaction, but if it protects me, then speed is not important.

In the first case, VPNs are often criticized for an additional attack surface. If the main problem is that a global attacker could have access to the VPN provider's network, then this is not critical for my threat model. I am sure that if I have a VPN server in Iceland, through which the stream goes, then my opponent obviously will not have information about the traffic of that country; it is not his jurisdiction. I also read that a VPN only partially hides the use of TOR, that is, DPI can detect that I am still using TOR. Is that right? Does this happen in passive mode or on purpose?
The use of bridges is also detected by DPI. Do I need to use WHONIX on a dedicated server? What are your thoughts?
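The correlation the question describes (login time matched against message time, repeated until the pattern singles out one user) can be made concrete with a small simulation. The following is an added example and not part of the original post or of Whonix; all users, sessions and message times are constructed, the 10-minute window and the `Session`/`plan_sessions` names are assumptions, and the "observer" only sees connect/disconnect edges, which is the simple model the post has in mind. It scores the naive pattern from the question, an always-on gateway, two unrelated Tor users, and the mitigation from item 3 (connect well before a message, stay well after it).

```python
import random
from dataclasses import dataclass

MINUTE = 1.0  # all times are minutes since the start of one constructed day


@dataclass(frozen=True)
class Session:
    """One Tor connection as an ISP-side observer sees it: connect and disconnect time."""
    start: float
    end: float


def session_edge_hits(sessions, msg_times, window):
    """Count messages that sit just after a connect AND just before a disconnect.

    This is the "login -> send -> logout" signature the thread worries about:
    a message at t is a hit if some session starts in (t - window, t] and
    ends in [t, t + window).
    """
    hits = 0
    for t in msg_times:
        for s in sessions:
            if t - window < s.start <= t and t <= s.end < t + window:
                hits += 1
                break
    return hits


def correlation_score(sessions, msg_times, window=10 * MINUTE):
    """Fraction of observed messages carrying the session-edge signature (0.0 .. 1.0)."""
    if not msg_times:
        return 0.0
    return session_edge_hits(sessions, msg_times, window) / len(msg_times)


def rank_suspects(users, msg_times, window=10 * MINUTE):
    """Order (name, score) pairs from most to least correlated, as an observer would."""
    scored = [(name, correlation_score(sessions, msg_times, window))
              for name, sessions in users.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def plan_sessions(msg_times, window, rng, spread=60 * MINUTE):
    """Mitigation from item 3 of the post: connect well before each message, stay well after.

    Lead and trail are at least `window` plus a random amount up to `spread`, so no
    session edge can fall inside the observer's window around the message time.
    (Assumed helper, not a Whonix feature.)
    """
    sessions = []
    for t in msg_times:
        lead = window + rng.uniform(0, spread)
        trail = window + rng.uniform(0, spread)
        sessions.append(Session(start=t - lead, end=t + trail))
    return sessions


# --- constructed sample data (not real observations) ---
MESSAGES = [100.0, 500.0, 1000.0]  # times the counterpart received messages

USERS = {
    # connects only to send: the exact pattern the question describes
    "naive": [Session(95, 105), Session(497, 503), Session(996, 1004)],
    # gateway up all day: the only edges are hours away from any message
    "always_on": [Session(0, 1440)],
    # other Tor users in the same country, unrelated to the messages
    "bystander_1": [Session(93, 106), Session(700, 720)],
    "bystander_2": [Session(300, 420), Session(1200, 1300)],
}


def demo(seed=1):
    """Return the suspect ranking before and after 'naive' adopts planned sessions."""
    ranking_before = rank_suspects(USERS, MESSAGES)
    mitigated = dict(USERS)
    mitigated["naive"] = plan_sessions(MESSAGES, window=10 * MINUTE, rng=random.Random(seed))
    ranking_after = rank_suspects(mitigated, MESSAGES)
    return ranking_before, ranking_after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Before the change the naive user scores 1.0 on every message while a bystander who happened to be online once scores only 1/3; after planning the sessions the naive user scores 0.0, the same as the always-on gateway, and only the coincidental bystander stands out. The caveat a practitioner would add: this models connect/disconnect edges only; an observer with per-flow volume or packet-timing data, or one who can watch the counterpart's side as well, has far more to correlate on, which is why the replies below lean on always-on gateways and obfuscated transports rather than on scheduling alone.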

Tor does that. Bridges are the best way to hide Tor activity temporarily. Nothing works against retroactive policing.


DPI is a tough technique to beat (consistently).
Bridges would indeed offer the best protection since they use the obfs4 protocol.
If the bridges themselves are also a problem, maybe have a trusted friend set his connection up as a bridge relay and connect that way.
Or a VPS service and then connect to the bridge from the VPS. Of course that involves trust as well.
There are tools like stunnel as well which would simply wrap your connection to the VPS in SSL. Or you could use an obfs4proxy wrapper instead of stunnel.
The thing is, the more steps required, the more of a chance there is to make an error. That goes for total beginners and experts alike.
For fun I once forced all connections from the Workstation to the Gateway through an OpenVPN server running on the Gateway, with the client set up on the Workstation. Then I wrapped that in obfs4proxy. By the time I was done, there were 2 clients, 2 servers, many certificates, several config files, a systemd service, a tunnel inside a tunnel, iptables adjustments, etc. It got complicated quickly. Since each depended on the other, a bottleneck anywhere in that chain resulted in total connection failure. While it worked as it was supposed to (verified through logs and Wireshark pcap files), there were just too many moving parts to be an everyday thing.
